'Inside Security' with Rohan Tandon (Sr. Engineering Manager at Panther)

'Inside Security'
Leen Security
September 16, 2024

In recent years, the security industry has embraced the idea that more data leads to better solutions. This belief has been fueled by advancements in big data, machine learning, and AI. The prevailing mindset is that collecting and processing vast amounts of data will uncover hidden patterns and insights. However, this approach often overlooks a fundamental truth: it's not the volume of data that matters, but the quality and relevance.

In this edition of the 'Inside Security', we will dive deep into the evolution of the data sprawl problem within security with Rohan Tandon (Sr. Engineering Manager at Panther).

The Data Problem in Security: Volume vs. Quality

In security, many organizations have overcorrected by obsessively collecting as much data as possible. The assumption is that more data will lead to better insights, but in reality, this often results in increased complexity and cost without a corresponding improvement in outcomes. Data wrangling becomes a time-consuming task, and instead of gaining clarity, teams are left dealing with overwhelming amounts of noise.

While large datasets are necessary for certain models, the power of machine learning and AI lies in identifying meaningful patterns within the right data, not simply a larger set of it. More data can sometimes obscure valuable signals, making it harder for models to work effectively.

For example, when classifying Microsoft Office files as malware, we found that looking for a single behavior - such as the creation of a mutex system call - was far more effective than analyzing vast amounts of unrelated data. A legitimate document should never create a mutex, and this simple signal allowed us to classify files with nearly 90% accuracy. This case demonstrates that focusing on key indicators can provide better results than combing through an entire feature space.

Data Sprawl and Its Impact on Security

Today, with the rise of GPU processing power, the ability to handle vast amounts of data has expanded dramatically. This has led many in the security field to believe that more data will lead to better security insights. As attack surfaces grow, the data and telemetry we collect expand as well. While this is a natural reaction to evolving threats, it often prioritizes data quantity over quality.

The reality is that more data doesn’t always equate to better outcomes. We need to focus on improving data relevance, identifying the right signals, and reducing unnecessary noise. In the world of security, we often treat data as the ultimate solution, without fully addressing the quality issues that can undermine its usefulness.

Moreover, the idea of a "single pane of glass" has long been discussed but remains unrealistic. Even if such a tool existed, it would likely be too overwhelming to provide real-time, actionable insights. The sheer volume of information would drown out the critical signals, making it difficult for teams to react effectively.

Single Pane of Glass - A Pipe Dream?

The concept of a "single pane of glass" in security - this magical tool or stack where one vendor manages every need – remains a pipe dream. Rohan agrees.

While the idea is enticing, history and reality have shown that specialization is key in complex fields like security. Just as the military, medicine, and other industries require specialized roles, for instance, you wouldn't expect an internist to perform spinal surgery...security also relies on different vendors excelling in specific areas, whether it's endpoint protection, network security, or threat detection.

Attempting to find one vendor to cover everything is not only unrealistic but often counterproductive.

Companies that stray too far from their core competencies tend to see diminishing returns, as we've seen in examples like Salesforce's acquisition of Tableau and other companies outside their core sales and CRM focus. The same holds true in security; vendors that specialize in one area, like CrowdStrike in endpoint security, won't have the same interests or addressable market as a company like Cisco, which specializes in networking.

Furthermore, relying on a single vendor leads to other challenges, such as vendor lock-in. Locking all your data into one vendor's system introduces cost concerns and governance risks. If you decide to switch providers, you may face steep costs or complications when trying to migrate or manage your data.

Single Pane of Glass - Problems

The core issue of this 'larger than life' concept also lies in data overload. A single pane of glass can consolidate massive amounts of data such as logs, alerts, threat feeds etc. into one place, but this often leads to information overload, making it difficult to prioritize and address actual threats. This problem is compounded by the fact that security teams typically operate in silos, each with its own processes and workflows across different security domains.

Beyond operational complexity, there’s also the issue of customization. A product that claims to be a one-size-fits-all solution would require endless customization to meet the specific needs of each organization. This approach doesn’t scale, and a truly productized platform that caters to every organization’s needs doesn’t exist. The idea of building a security platform that answers all needs is not just a false promise...it’s fundamentally impractical.

This dichotomy between the reality of the security landscape and the narrative pushed by vendors is problematic. At conferences and in conversations with CISOs, the concept of a single, integrated platform continues to be promoted, even though industry professionals recognize that it’s nearly impossible to achieve. It’s a pipe dream that’s been parroted for years without critical examination, yet it persists, creating expectations that vendors themselves struggle to meet.

Ultimately, the idea of consolidating everything into one vendor sounds appealing, but the reality of specialization and the complexity of security demands a multi-vendor approach.

The Challenge of Security Vendor Sprawl

Another issue compounding the data problem in security is vendor sprawl. Over time, the security market has become increasingly fragmented, with many vendors specializing in narrow aspects of security. While this specialization has led to better solutions in specific areas, it has also made it difficult to manage the vast array of tools and data sources.

This fragmentation is further driven by compliance requirements, such as SOC 2 or federal regulations, which come with long checklists of security standards that must be met. As a result, organizations often end up adopting multiple tools, each solving a small part of the problem.

The challenge is that managing and integrating these tools becomes complex and costly, adding back to the overall sprawl.

Is There A Possible Solution To The Data Problem?

The first step in addressing the data problem in security is adopting a more strategic approach to data collection. Instead of indiscriminately gathering information from every available source, security teams should focus on identifying the key signals that provide actionable insights. This involves refining what data is collected, analyzing its relevance, and filtering out noise that could obscure meaningful threats.

Security teams need to prioritize data integration and interoperability. Vendor sprawl will remain a challenge, but ensuring that tools can communicate effectively and share critical data without creating bottlenecks will help streamline operations. Rather than relying on a single pane of glass, organizations should focus on creating a modular, multi-vendor ecosystem that allows them to leverage the best tools for specific tasks, while maintaining a unified flow of relevant data.

The future lies not in promising a one-size-fits-all platform, but in developing adaptable, intelligent solutions that enhance human capabilities, filter out the noise, and focus on actionable intelligence. Only then can we hope to solve the data sprawl problem in security and truly stay ahead of evolving threats.

The push to gather more data in security has created significant challenges, from overwhelming noise to vendor sprawl. While we have the tools and computational power to process vast amounts of information, the key to effective security lies in focusing on quality, not quantity. The future of security will depend on our ability to filter out the noise and focus on the signals that truly matter.

. . .

To connect with Rohan, you can reach out to him via his Linkedin.